With Internet Explorer 9, Microsoft has succeeded in building a fast, standards-compliant browser with a clean, modern design that integrates well with Windows 7. But is that enough to preserve its dominance in the workplace? Can it lure defectors back and excite web developers? We’re about to find out.

With Internet Explorer 9, Microsoft gets to show off some of its best work to an audience that is increasingly indifferent and hard to please, and in some cases downright hostile and dismissive. It is not an enviable task.

By any objective standard, Microsoft has succeeded at the task it set out to do: build a fast, standards-compliant browser with a clean, modern design that integrates well with Windows 7. But is that enough to preserve its shrinking lead in an increasingly competitive field of browsers? Can it convince defectors to end their experiments with Google Chrome or Mozilla Firefox and return to the fold? Can it excite web developers and kick up its own tempo to keep up with younger, faster competitors? We’re about to find out.

Today in San Francisco, Microsoft is scheduled to officially unveil the release candidate for IE9. Years ago, I probably would have waited until the final shipping code to do a formal review. In the new, engineering-driven Microsoft, the RC label means exactly that: this is ready-to-ship code, out for one final spin to smoke out those pesky bugs that hide so well from automated testers. It’s ready to review. (To answer your question preemptively: No, Microsoft isn’t offering any hints on when the final release will be ready.)

I’ve been running an escrow version of the IE9 RC for several weeks, on a variety of desktop and notebook PCs, and earlier this week upgraded to the final RC bits. It is a solid, polished package, and I have no trouble recommending it to anyone running Windows 7 or Windows Vista. (Sorry, XP users. This is yet another reason to upgrade your OS.)

You will find echoes of other modern browsers throughout IE9. But this is no clone or copycat, and in fact it has a few features that other browser developers would be wise to copy. IE9 has its own distinct personality and visual style, especially when compared side by side with archrival Google Chrome.

The basic design of IE9 should come as no surprise if you’re one of the 23 million or so people who downloaded and installed the IE9 beta between its September 15 release and now. I’ve already looked at that build in great detail; if you haven’t seen my Internet Explorer 9 beta review: Microsoft reinvents the browser , I highly recommend that you go back and read it, just so you can get up to speed.

I won’t repeat my observations from the beta review here. Instead, I want to focus on some of the new features that have been added post-beta. Pinned Sites can now include multiple tabs, for example. There’s a new, very impressive Tracking Protection feature that gives users the upper hand (at least for now) in the ongoing skirmish with advertisers and marketers over online privacy. And if you’ve avoided IE because it lacks a way to block Flash-enabled sites, pay attention: the RC adds a new feature called ActiveX filtering that could easily be called FlashBlock Plus.

Ultimately, this long-awaited IE upgrade is a conservative and populist product. Much of its design is data-driven, based on input from the two biggest sectors of Microsoft’s enormous Windows-using base: managed corporate networks and nontechnical, mom-and-pop PC buyers. That focus creates an inherent bias to make things simpler, with fewer options. The resulting product might be a little too simple for browser elitists or those who prefer lots of tweaking options.

If you gave up on IE years ago because it was slow or buggy or insecure, it’s worth taking a second look at IE9, now that the beta label has been removed. (The installation is pretty low-risk: It’s easy to uninstall, and you can continue using your current browser as the default while you test.)

Performance in this build of IE9 is noticeably improved over the beta and better than any IE version I’ve ever seen. As usual, I'll leave it to those with better lab setups to perform the detailed benchmarks, but in my experience, IE9 can keep pace with the fastest modern browsers. It no longer deserves to be called a slowpoke. Using the GPU for some page rendering tasks makes an especially big difference in performance.

Many of the most significant changes in IE9 are future-oriented, with solid support for HTML5, CSS3, and other emerging standards. Those changes are a big deal to developers, but it might be months or years before you see those technologies in widespread use. Meanwhile, IE9 does a decent job of coping with compatibility issues for current web pages that were designed for earlier IE versions.

In the rest of this review, I’ll look more closely at the IE9 user experience, at privacy and security features, and at how well it handles the crucial sticking points of performance and compatibility.

The IE9 user experience

You can almost see the tiny hairs rise on the back of an IE9 developer’s neck if you describe the browser as minimalist . It’s refined , you are told. It is site-centric. Since the beta, IE’s designers have done even more refining and polishing. They've shaved a few pixels off the browser’s frame. Elements in the UI that add noise and distraction are hidden (although you can easily restore the status bar, the Favorites bar, and the Command bar if you are willing to sacrifice some screen real estate for information). The browser’s chrome doesn’t compete for your attention with the page you’re viewing.

By default, IE9 puts the address bar and the browser tabs on the same row. That saves a lot of space compared to the default configuration in Chrome (57 pixels for IE9 versus 81 for Chrome, by my calculations). Here, see for yourself:

If you keep a relatively small number of browser tabs open at any one time, this arrangement works well. According to Microsoft, 99% of the IE9 sessions they’ve tracked during the IE9 beta have 8 open tabs or fewer (a session is a single frame window). That leaves enough room to see the title for each tab without consuming too much space.

But that 1% of tab-heavy sessions inspired what Microsoft characterizes as “super vocal feedback.” (Translation: beta testers screamed bloody murder.) Bowing to the pressure, Microsoft added a new customization option in the RC: the ability to position the tabs on a separate row, below the address bar. (No, there’s no option to move the address bar above the tabs.) Even in that configuration the IE9 layout is still 1 pixel more efficient than Chrome. And as a close look at the IE UI demonstrates, the claim that IE9 is a Chrome clone is just not accurate.

Another new feature that wasn’t in the beta is the ability to navigate directly to a pasted URL. Chrome and Safari offer a Paste & Go option when you right-click in the address bar. IE9 lets you right-click anywhere on the page and choose Go To Copied Address from the shortcut menu (if the Clipboard text isn’t a valid URL, the option is Search Using Copied Text). The effect is the same.

As the hint at the end of the menu item advises, you can also use the keyboard shortcut Ctrl+Shift+L.

In my beta review last September, I pointed out that IE9 is at its most effective when paired with Windows 7, where you can pin a web site shortcut to the taskbar and treat it as if it were an application. In the RC, Microsoft has improved this feature by giving you the ability to have multiple home pages associated with a single Pinned Site. In my case, I can keep the ZDNet home page, the WordPress editor, and Google Analytics in a saved group, pinned to the taskbar where they’re a click away.

A web site developer who takes advantage of the ability to create custom jump lists can really make a site shine. Amazon.com, for example, has done a good job of making these swipe-and-click menus useful for site visitors. And a new feature in the RC makes it possible for a developer to add a snippet of code to any element on a page so that it becomes draggable or pinnable.

One problem I noted with Pinned Sites in the beta release is that add-ins don't work, Microsoft says that's by design. The result, unfortunately, is that popular password managers like LastPass and RoboForm aren't available in Pinned Sites. If your credentials aren't cached, you'll have to enter your username and password manually.

Two flaws in the beta made a disappointment out of IE9’s all-in-one address and search bar (called, not surprisingly, the One Box). Both have been fixed for the RC. You can now use advanced search syntax in the One Box (like IE9 review ed bott site:zdnet.com ) and get the results you’re looking for. If the search doesn’t return the right results, you can now click to return to the search box with your previous query intact, after which you can edit the search terms or switch to an alternative search engine. After six months of using this approach, I have no desire to return to a separate search box, and I rarely open the Favorites list.

Finally, Microsoft has refined (there’s that word again) its handling of notifications. Beta testers complained that some notifications were “nagging,” such as those indicating that a pop-up has been blocked. In the RC, those alerts now disappear automatically instead of hanging around indefinitely. Conversely, a few notifications were a little too subtle. The notifications for background downloads has added some subtle animation to help make it more obvious when the download is complete.

Privacy and security

Internet Explorer has a reputation for insecurity, earned mostly during the middle of the last decade, when black-hat hackers turned IE6 into a punching bag. With subsequent releases, IE has been hardened significantly, and IE9 adds some serious layers of protection for security and privacy on top of what was already a decent infrastructure. You can see the full selection in the Safety menu, which is available from the Tools button (Alt+X) at the far right of the row containing the One Box and tabs.

Features like Protected Mode, which sandboxes IE processes and prevents rogue apps from infiltrating into higher-integrity processes, were already part of IE7 and IE8 on post-XP Windows versions. But a potentially much bigger addition to IE’s security underpinnings makes its debut in this release. It’s called ActiveX Filtering, and if you’ve ever wished for an IE equivalent to FlashBlock, your wish just came true.

Clicking ActiveX Filtering on the Safety menu acts like a master switch that universally disables all ActiveX controls on all sites. The most common ActiveX control these days, of course, is Adobe’s Flash Player. (Outside of the U.S., ActiveX is more commonly used, especially in banking applications, which makes the protection even more useful.) With ActiveX Filtering on, Flash content is silently disabled, with no prompts to install or re-enable the plugin. In my testing, this feature worked flawlessly; the only indication that content has been blocked is a subtle blue icon at the end of the address bar, which displays this message when clicked.

When you reach a site where you want or need Flash (or another ActiveX control), you can click the big Turn Off ActiveX Filtering button. That re-enables ActiveX controls, and the blocked Flash content appears as soon as you refresh the page. ActiveX Filtering is off by default, but as soon as you enable it you get a true opt-in system that works on a site-by-site basis. Any content that depends on ActiveX (including Flash) is completely blocked until you explicitly enable it for a site.

In terms of privacy, the big news in IE9 is a feature called Tracking Protection. Although the underpinnings of this feature were included with IE8, the In-Private Filtering feature was neutered before it was released, In one of Microsoft’s darker moments. (Although Google and Mozilla have both announced their own no-tracking features, their solutions are completely passive and their effectiveness depends on full cooperation from web sites and advertisers. Good luck with that.)

Tracking Protection in IE9 is off by default. When you enable it, though, it is active and aggressive. The most basic level of protection is a vastly improved version of In-Private Filtering. Turn the feature on and you can automatically or selectively block any HTTP requests from being sent by IE to a third-party site. Here’s what the personalized list of sites looks like on my system.

In this case, I've sorted the list to show which third-party sites are tracking my movements around the web. I could block them all, but instead I've told IE to reject all DoubleClick ads and several widely used analytics services. I've also blocked Facebook's JavaScript code while alllowing the Like button to work.

The more interesting and potentially revolutionary extension of Tracking Protection allows outside groups—consumer protection agencies, security firms, and so on—to create lists of sites that will be blocked. If you find a do-not-track list that you trust, you click a link to add it your browser’s configuration, and from that point on any sites on the list are automatically blocked. The originator of the list can update it at any time, and IE will periodically refresh its cached copy. It will be interesting to see whether consumer protection groups jump on this opportunity. (Update: EasyList, which develops AdBlock Plus, has announced support for IE9 Tracking Protection.)

It would also be nice if Mozilla and Google would adopt the same format for their privacy-blocking efforts, but I'm not holding my breath.

For me, the most satisfying part of enabling this feature was blocking—once and for all—those hideous pop-up ads disguised as double-underlined links, from sites like Kontera and Vibrant Media. One click of the Block button and those fake links vanished for good, without any requirement on my part to manage cookies or find the buried opt-out instructions from the ad provider. I’ve never been able to do that in any previous version of IE.

IE9’s Download Manager, in combination with its SmartScreen feature, does a serviceable job of flagging potentially unwanted software. My only complaint is that the blood-red warnings unfairly penalize small software makers, who might be perfectly honest but whose products are less likely to be installed after an unskilled user sees a warning like this one. (I've blurred the name to protect the innocent developer in this case.)

Browser security is an endurance match—a slugfest, really—between good guys and bad guys. With this release, Microsoft has given the bad guys enough of a challenge to keep them busy for a while—maybe even long enough to last till IE10 is ready.

Over the course of 18 months of development, with seven developer previews and one full-fledged public beta, Microsoft has steadily ratcheted page load times down and increased its score on common benchmarks for IE9. Performance, of course, is a moving target and affected by multiple variables, not the least of which is the network itself.

With that caveat out of the way, it’s clear that Microsoft has made huge strides in terms of performance. On the SunSpider JavaScript benchmark , for example, my installation of the IE9 RC beat a freshly installed copy of the current shipping release of Google Chrome (9.0.597.94) by roughly 5%. One reason for the improved performance, I was told, is due directly to work that was done for developers around timer resolution in JavaScript: finer-grained timers mean more responsive animation. They also have the potential to affect battery life, which is why the IE9 installer adds a new JavaScript Timer Frequency setting at the bottom of the Power Options dialog box for Windows 7:

Microsoft has also continued to invest in reducing the working set (RAM usage) for the browser. In a brief and hardly comprehensive test, I found that opening the same sequence of six tabs resulted in nearly identical memory usage between IE9 and Google Chrome 9, with a difference of less than 1%. That’s a huge improvement over IE8, where the identical set of pages required nearly 50% more RAM.

Compatibility is a constant headache for IE developers. Although IE9 should render most standards-compliant code exactly as the developer intended, some pages insist on applying tweaks aimed at fixing bugs and quirks in older versions. The solution is a compatibility view button (to force the browser to lay out pages as IE7 would do it) and a regularly updated compatibility view list. In the beta, I found myself hitting the Compatibility View button way too often. Page layouts were much more consistent in the RC. One bug I did notice appeared in pages at Engadget.com and right here at ZDNet, where attempting to select text resulted in odd cursor movements and a frustrating lack of success until I turned on Compatibility View.

I stumbled across one interesting change in the IE9 RC quite by accident while poking through the most recently downloaded Compatibility View list. At the end of the XML file was a long series of entries specifying GPU device IDs. According to Microsoft, that list allows them to fall back to software-based graphics acceleration and avoid performance issues with specific drivers or hardware—mostly older parts and drivers that are known to cause issues.

And finally, there’s HTML5, CSS3, and related technologies, which are still a moving target. This build adds support for CSS3 2D transforms. As a Microsoft spokesperson explained to me, “You get interesting effects with JavaScript, but you need this native support through CSS to get the best performance through the GPU.” There are also improvements in the Canvas spec, which should allow for more complex graphical operations.

The most intriguing new option I discovered while poking around in the advanced settings for IE9 was a box on the Privacy tab, under the Location heading, that allows you to control whether and when sites can request your physical location.

When I asked what that was all about, I was told that IE9 is “introducing support for geolocation, primarily for mobile use.” It’s built on the same location service and database that Windows Phone 7 uses for apps, although it’s not exposed in the Windows Phone 7 browser today. This feature has obvious benefits for mobile users running IE9 on Windows-powered notebooks, of course. But if one assumes that the IE9 code is destined to appear in Windows Phone 7 devices before the end of the year, it’s easy to speculate that those same features will be available in web apps on phones as well.

All of those new features, including HTML5 support, are extremely forward-looking, and at least some browser makers are treating HTML5 as their own private playground rather than as a cross-platform showcase. Most of the HTML5 sites on the web today are experimental, and a fair number are designed to show off one particular company’s hardware and software. That might explain why I had trouble even running HTML5 demos from Google and Apple in IE9. (Ironically, Microsoft's HTML5 Test Drive demos load just fine in Chrome.)

There’s still a long way to go before the standards themselves are solid enough to make developers confident enough to build rich apps, and there are plenty of HTML5 and CSS3 bugs in all the major browsers today to discourage all but the most bleeding-edge web designers. But laying down this framework and getting it right is an important step.

Microsoft released Internet Explorer 8 in March 2009. It’s likely that the final release of IE9 will come roughly two years after that. By IE’s standards, that’s a modest improvement in productivity. By the standards of every other browser maker, it’s almost glacially slow. As I noted last summer , no less an authority than Bill Gates suggested that Microsoft needs to be “unbelievably agile” with browser development, shipping new releases every 9-12 months. Two-year gaps won't cut it.

Those years of development weren’t wasted. What Microsoft has delivered is a great base that fixes many of the worst flaws in Internet Explorer. The real question now is whether Microsoft can deliver a steady stream of improvements on top of that base at a rapid pace that will win back the hearts and minds of developers and enthusiasts.